Eero Nevalainen wrote:
> After that, it's just a matter of getting the
> username from the session-stored object for subsequent queries.

How do you store the session ID in the client browser?

I have seen a similar problem with a login page that handed out Session
IDs in the URLs contained in the page. The page was sent out with
"Cache-control: no-cache", but no "Expires:" header. The
"Cache-control:" header was introduced in HTTP 1.1, whereas in HTTP 1.0,
the only way to control caching is the "Expires:" header. An HTTP 1.0
proxy cache thus had no usable caching directive and applied its default
caching policy. As a result, users behind such a proxy could obtain the
same session ID and see each other's data.

Moral: when using "Cache-control:", always use "Expires:" as well for
HTTP 1.0 caches.

Regards,
Oliver Schoett
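
The following is an added example, not part of the original message or of Tomcat: a simplified Python model of the caching decision described above, usable as a header audit for pages that carry session IDs. The function names, the fixed clock and the sample header sets are constructed for illustration, and the model assumes an HTTP 1.0 cache looks only at "Expires:".

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2006, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed sample header sets (not captured traffic).
LOGIN_PAGE_AS_REPORTED = "Content-Type: text/html\nCache-Control: no-cache"
LOGIN_PAGE_FIXED = ("Content-Type: text/html\nCache-Control: no-cache\n"
                    "Expires: Thu, 01 Jan 1970 00:00:00 GMT")

def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def expires_forbids_reuse(headers, now=NOW):
    """True if Expires is present and not in the future.
    An unparseable date such as "0" is treated as already expired."""
    if "expires" not in headers:
        return False
    try:
        when = parsedate_to_datetime(headers["expires"])
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def may_serve_from_cache(headers, cache_version, now=NOW):
    """Simplified model: may a shared cache hand this response to another user?"""
    if cache_version == "1.1":
        value = headers.get("cache-control", "")
        directives = {d.strip().lower().split("=")[0] for d in value.split(",")}
        if directives & {"no-cache", "no-store", "private"}:
            return False
    # An HTTP 1.0 cache does not understand Cache-Control, so only Expires
    # can stop it; without Expires it falls back to its default policy.
    return not expires_forbids_reuse(headers, now)

def audit(raw):
    """Return the cache generations that could reuse the response."""
    headers = parse_headers(raw)
    return [v for v in ("1.0", "1.1") if may_serve_from_cache(headers, v)]

if __name__ == "__main__":
    print("as reported:", audit(LOGIN_PAGE_AS_REPORTED))
    print("with Expires:", audit(LOGIN_PAGE_FIXED))
```

An empty list from `audit` means neither cache generation in the model would reuse the page; any entry in the list names a cache that could serve one user's session-bearing page to another.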